Description of problem:
Originally, the CVE-2006-0987 identifier has been assigned to the following issue:
The default configuration of ISC BIND, when configured as a caching name server, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses.
This issue is covered in the bug #873618 (the bind package as shipped with Red Hat Enterprise Linux 6 is not affected by this issue in the default configuration).
But in the configuration where bind is configured to listen for requests from authorized clients, the DDoS attack might be possible.
Therefore the point of this bug is to request a backport of the DNS RRL patch suggested by Adam Tkac:
http://www.redbarn.org/dns/ratelimits
which would help mitigate the impact of DDoS attacks also for these configurations.
But since Red Hat Security Response Team would not consider this backport to be correcting a security flaw (it's more a security hardening for a non-default configuration), it is reported under this record.
Version-Release number of selected component (if applicable):
bind-9.8.2-0.10.rc1.el6_3.5
Additional info:
See bug #873618 and its References for further details.

Note that it _is_ a security flaw.
Allowing our servers to become a functional part of an amplification attack is a security risk. It could damage the network the server is running in (as well as our reputation).
However, this is more a problem for bind when it is an authoritative server, not when it is a recursive server. The amplification bounces off the authoritative name servers, which _DO_ need to listen/answer to the world at large.
I believe it is prudent to apply the patch, and leave a commented out rate limit section in the named.conf file, so that _when_ people are being abused in an amplification attack, they have the option of simply enabling the rate limit option without the requirement for recompiles of a patched bind.
The patch has been tested on authoritative servers powering large TLDs.
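The comment above proposes shipping a commented-out rate-limit section in named.conf so an operator can turn RRL on without rebuilding bind. The following is an added illustration of what such a section could look like; it is not from the bug, the patch, or the Red Hat package. It assumes the `rate-limit` option syntax of the redbarn.org RRL patch as it was later merged into BIND 9.9.4+, and the per-second values and the `192.0.2.0/24` exempt prefix are placeholders chosen for the example, not tuned recommendations.

```conf
// /etc/named.conf (excerpt) -- added example, not part of the original report
options {
    directory "/var/named";

    // Authoritative-only server for the amplification scenario discussed above:
    // do not answer recursive queries for the world at large.
    recursion no;
    allow-query { any; };

    // Response Rate Limiting (RRL). Shipped commented out; an operator hit by an
    // amplification attack removes the leading "//" and runs `rndc reconfig`.
    //
    // Step 1 (recommended): enable with "log-only yes" first. named then only
    // logs which responses it *would* have dropped or slipped, so the limits can
    // be checked against real traffic before they affect any legitimate client.
    //
    // rate-limit {
    //     responses-per-second 10;   // identical answers per second per client prefix (placeholder)
    //     referrals-per-second 10;   // delegations, the response type abused in the report (placeholder)
    //     nxdomains-per-second 5;    // NXDOMAIN answers (placeholder)
    //     errors-per-second 5;       // SERVFAIL/FORMERR etc. (placeholder)
    //     window 5;                  // seconds over which the rate is measured
    //     slip 2;                    // every 2nd limited response is a small TC=1 reply
    //                                // instead of silence, so a real client retries over TCP
    //     ipv4-prefix-length 24;     // rate is accounted per /24, matching spoofed-source attacks
    //     ipv6-prefix-length 56;
    //     exempt-clients { 192.0.2.0/24; };   // placeholder: own monitoring or secondaries
    //     log-only yes;              // Step 2: set to "no" once the logged limits look sane
    // };
};
```

After uncommenting, `named-checkconf /etc/named.conf` validates the syntax and `rndc reconfig` applies it without a restart. The `slip` setting is the part worth understanding before going live: a dropped response is silent, but a slipped one is a truncated reply that forces a genuine resolver onto TCP (which cannot be spoofed) while still denying the attacker the large UDP amplification payload.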

We just hit this today with the fedoraproject.org servers. ;(
An official package with the patches would be most welcome.
I can only imagine other places have hit this same issue, or will moving forward.